[Full-disclosure] [DRUPAL-SA-2005-004] Drupal 4.6.3 / 4.5.5 fixes critical XML-RPC issue

Drupal security advisory DRUPAL-SA-2005-004

Advisory ID: DRUPAL-SA-2005-004
Date: 2005-aug-15
CVE ID: CAN-2005-2498
Security risk: highly critical
Impact: system access
Where: from remote
Vulnerability: arbitrary PHP code execution

Description

Stefan Esser of the Hardened-PHP Project reported a serious vulnerablility
in the third-party XML-RPC library included with some Drupal versions. An
attacker could execute arbitrary PHP code on a target site.

Versions affected

Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4
Drupal 4.6.0, 4.6.1, 4.6.2
Drupal HEAD is not affected, as the XML-RPC library has been replaced by a
different one.

Solution

• If you cannot upgrade immediately, you can secure your site by removing
  the XML-RPC server: simply remove the file 'xmlrpc.php' in the root of
  your Drupal directory.
• If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.5.
• If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.3.

Timeline

• Fri, 12 Aug 2005 21:15: Stefan Esser reports the vulnerability to Drupal and
  other PHP projects using the XML-RPC library.
  He plans a coordinated release of all affected
  projects for next week.
• Sun, 14 Aug 2005 22:40: Stefan Esser reports that the coordinated release
  is spoiled because information about the security
  issue was leaked to the public.
• Sun, 14 Aug 2005 23:38: The Drupal Security Team starts coordinated work on
  a new release via the security mailing list and IRC.
• Mon, 15 Aug 2005 03:45: Updated Drupal 4.6.3 and Drupal 4.5.5 are released.

Contact

The security contact for Drupal can be reached at [email protected]
or using the form at http://drupal.org/contact.

// Uwe Hermann, on behalf of the Drupal Security Team.

Uwe Hermann <[email protected]>
http://www.hermann-uwe.de | http://www.crazy-hacks.org
http://www.it-services-uh.de | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de